Steven Schmidt, Senior Consultant & Trainer, Security Solutions, Unified Comms
Christian Etzold, Senior System Engineer
© 2011 Netfarmers GmbH

NETFARMERS GmbH, founded 2005
Focus: Cisco / Juniper / Palo Alto
Training:
- Vendor-certified training for various learning partners (Cisco/Juniper)
- In-house developed workshops
Consulting:
- Consulting, implementation and training services in high-end networking
- IP communications, internetworking, wireless networks and network security
- Focus: voice and security, especially with the vendor Cisco Systems
Service & Support:
- 2nd and 3rd level troubleshooting
Project business:
- Project management
- Project execution
- Tender preparation and support
• Security Solutions
• Network Management
• Unified Communications

Palo Alto Networks: Re-Inventing Network Security
It’s Time To Fix The Firewall?!
Christian Etzold, Senior System Engineer

About the speaker
• Christian Etzold, Senior Systems Engineer
• > 15 years security experience
• Computer science degree – diploma thesis on advanced IDS systems; mail administrator at FH Rosenheim (student assistant)
• ODS Networks / Intrusion (1998: first host based IDS system - CMDS)
• Rainfinity Systems / EMC² (2001: load balancing software for firewalls)
• IronPort Systems / Cisco Systems (2004: email / web security / encryption)
• Palo Alto Networks (2010: next generation firewalls)
© 2010 Palo Alto Networks. Proprietary and Confidential.

About Palo Alto Networks
• Palo Alto Networks is the Network Security Company
• World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007, top-tier investors
• Builds next-generation firewalls that identify / control 1,300+ applications
- Restores the firewall as the core of enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
• Global momentum: 4,500+ customers
- August 2011: Annual bookings run rate is over US$200 million*, cash-flow positive last five consecutive quarters
(*) Bookings run rate is defined as 4 (four) times the bookings amount of the most recently finished fiscal quarter. Bookings are defined as non-cancellable orders received during the fiscal period. Palo Alto Networks’ fiscal year runs from August 1st until July 31st.
A few of the many enterprises that have deployed more than $1M

The Internet World Anno 1995
• Virtually no application traffic, no known threats
• Simple assumptions worked; HTTP traffic = browsing
• Firewalls were born to keep simple traffic from coming in or going out; in 15 years’ time it became a $5B industry

Security v1.0 Response: Rip Holes in Firewall
(Figure: Traditional Applications – DNS, Gopher, SMTP, HTTP; Dynamic Applications – FTP, RPC, Java/RMI, Multimedia; Internet)
• Background
- Appeared mid 1980’s
- Typically embedded in routers
- Classify individual packets based on port numbers
• Challenge
- Could not support dynamic applications
- Flawed solution was to open large groups of ports
- Opened the entire network to attack

Security v2.0: Stateful Inspection
(Figure: Traditional Applications – DNS, Gopher, SMTP, HTTP; Dynamic Applications – FTP, RPC, Java/RMI, Multimedia; Evasive Applications – Encrypted, Web 2.0, P2P, Instant Messenger, Skype, Music, Games, Desktop Applications, Spyware, Crimeware; Internet)
• Background
- Innovation created Check Point in 1994
- Used state table to fix packet filter shortcomings
- Classified traffic based on port numbers but in the context of a flow
• Challenge
- Cannot identify Evasive Applications
- Embedded throughout existing security products

The Internet World Anno 2010
• Many applications; many more threats
• Applications are evasive and are the #1 threat vector
• Traditional firewalls are defenseless and offer no protection to enterprises

How Do You Protect Your Network?
Firewalls

Applications Have Changed; Firewalls Have Not
The gateway at the trust border is the right place to enforce policy control
• Sees all traffic
• Defines trust boundary
BUT… applications have changed
• Ports ≠ Applications
• IP Addresses ≠ Users
• Packets ≠ Content
Need to restore visibility and control in the firewall

Application Based Firewall
(Figure: what stateful inspection – legacy firewalls – sees: tcp/443, tcp/443; versus what’s really going on)
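The three slides above (packet filter, stateful inspection, application-based firewall) describe three ways of deciding what a packet is. The following Python is an added illustration written for this page, not Palo Alto Networks code and not how App-ID is implemented: it runs a port-only classifier, a state-table classifier and a payload-signature classifier over the same constructed packets. All addresses, ports, payload bytes and signature strings are constructed for the demo, and the labels ("undecided", "unknown-app") are names chosen here.

```python
"""Three generations of traffic classification run over the same packets:
v1.0 packet filter (port of each packet), v2.0 stateful inspection (port in the
context of a flow) and application identification (what the flow carries).
Every packet, port mapping and signature here is constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False      # first packet of a TCP connection
    payload: bytes = b""   # application data carried, if any


# Well-known ports: the only thing a packet filter knows about.
PORT_SERVICES = {25: "smtp", 53: "dns", 80: "http", 443: "https"}


def classify_by_port(pkt):
    """Security v1.0: each packet judged alone by destination port. A server's
    reply to a high client port is 'unknown', hence the opened port ranges."""
    return PORT_SERVICES.get(pkt.dport, "unknown")


class StatefulInspector:
    """Security v2.0: a state table ties each packet to its flow, so return
    traffic is recognised without opening the high ports."""

    def __init__(self):
        self.flows = {}   # (src, dst, sport, dport) -> label

    def flow_key(self, pkt):
        """State-table key of the flow pkt belongs to, or None."""
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return fwd if fwd in self.flows else rev if rev in self.flows else None

    def classify(self, pkt):
        key = self.flow_key(pkt)
        if key is not None:
            return self.flows[key]
        if pkt.syn:   # only a connection start may create state
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
            self.flows[key] = PORT_SERVICES.get(pkt.dport, "unknown")
            return self.flows[key]
        return "drop"   # mid-stream packet with no matching state


# Constructed signatures: what the first payload bytes of a flow look like.
APP_SIGNATURES = (
    (b"\x16\x03", "ssl"),                    # TLS handshake record header
    (b"GET ", "web-browsing"),
    (b"POST ", "web-browsing"),
    (b"SSH-2.0", "ssh"),
    (b"\x13BitTorrent protocol", "bittorrent"),
)


class AppIdentifier(StatefulInspector):
    """Application-based: the flow is tracked as in v2.0, then labelled from
    the first payload seen, whatever port it uses."""

    def __init__(self):
        super().__init__()
        self.apps = {}   # flow key -> application decided from payload

    def classify(self, pkt):
        if super().classify(pkt) == "drop":
            return "drop"
        key = self.flow_key(pkt)
        if key not in self.apps and pkt.payload:
            self.apps[key] = next((app for sig, app in APP_SIGNATURES
                                   if pkt.payload.startswith(sig)), "unknown-app")
        return self.apps.get(key, "undecided")   # no payload seen yet


def build_traffic():
    """Constructed sample: a real HTTPS session, a BitTorrent client hiding on
    tcp/443, a web server on tcp/8080 and one stray packet with no flow."""
    client, web, peer, alt = "10.0.0.5", "203.0.113.10", "198.51.100.7", "203.0.113.20"
    return [
        Packet(client, web, 51000, 443, syn=True),                               # 0
        Packet(client, web, 51000, 443, payload=b"\x16\x03\x01\x00\xc8\x01"),    # 1 ClientHello
        Packet(web, client, 443, 51000, payload=b"\x16\x03\x03\x00\x5a\x02"),    # 2 ServerHello
        Packet(client, peer, 51001, 443, syn=True),                              # 3
        Packet(client, peer, 51001, 443, payload=b"\x13BitTorrent protocol"),    # 4
        Packet(client, alt, 51002, 8080, syn=True),                              # 5
        Packet(client, alt, 51002, 8080, payload=b"GET /index.html HTTP/1.1\r\n"),  # 6
        Packet("192.0.2.9", client, 4444, 51003, payload=b"junk"),              # 7 no SYN, no state
    ]


def compare():
    """Run all three classifiers over the sample; verdicts per packet, in order."""
    traffic = build_traffic()
    stateful, appid = StatefulInspector(), AppIdentifier()
    return {
        "packet-filter": [classify_by_port(p) for p in traffic],
        "stateful": [stateful.classify(p) for p in traffic],
        "app-id": [appid.classify(p) for p in traffic],
    }
```

Calling compare() shows the point of each slide in one table: the packet filter calls the server's reply (packet 2) "unknown" because it only sees the high client port; the state table fixes that but still calls the BitTorrent flow on tcp/443 "https" and the web server on tcp/8080 "unknown"; only the payload-based classifier labels those flows "bittorrent" and "web-browsing". The stray packet with no connection start is dropped by both stateful variants. A real TLS flow stays "ssl" here since the demo does no decryption.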

App-ID is Fundamentally Different
• Sees all traffic across all ports
• Scalable and extensible
• Always on, always the first action
• Built-in intelligence
Much more than just a signature…

Technology Sprawl & Creep Are Not The Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Putting all of this in the same box is just slow

Traditional Systems Have Limited Understanding
• Some port-based apps caught by firewalls (if they behave!!!)
• Some web-based apps caught by URL filtering or proxy
• Some evasive apps caught by an IPS
• None give a comprehensive view of what is going on in the network

Applications Carry Risk
Applications can be “threats”
• P2P file sharing, tunneling applications, anonymizers, media/video
Applications carry threats
• SANS Top 20 Threats – majority are application-level threats
Applications & application-level threats result in major breaches – Pfizer, VA, US Army

Firewall Blades?
• Will identify 50,000 applications…
- 44,500 are social networking widgets
- “Real” applications are a mix of clients and servers
• More is not “better”
- Visibility requires you to enable every signature – what’s not ID’ed is allowed
- Policy control will be limited and cumbersome
- Performance will crater when Application Control blade is enabled
• A UTM feature ADDED to the firewall… reiterate the value of App-ID

The Right Answer: Make the Firewall Do Its Job
New Requirements for the Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, in-line deployment with no performance degradation

Identification Technologies Transform the Firewall
• App-ID™ – Identify the application
• User-ID™ – Identify the user
• Content-ID™ – Scan the content

Application Command Center
Central location to view the state of the network
Comprehensive View of Applications, Users & Content
• Application Command Center (ACC)
- View applications, URLs, threats, data filtering activity
• Add/remove filters to achieve desired result
(Screenshot callouts: filter on Facebook-base and user cook; remove Facebook to expand view of cook)

Palo Alto Networks Controls the Threat Vector
• Simple, yet powerful control of 1,300+ applications – block, or allow but scan for threats
(Figure: your control with legacy firewalls and IPS)

Design and Implementation of the Palo Alto Networks Firewall™, Version 4.0

PAN-OS Core Firewall Features
Visibility and control of applications, users and content complement core firewall features
• Strong networking foundation
- Dynamic routing (BGP, OSPF, RIPv2)
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation
- Policy-based forwarding
• Zone-based architecture
- All interfaces assigned to security zones for policy enforcement
• High Availability
- Active / active
- Configuration and session synchronization
- Path, link, and HA monitoring
• VPN
- Site-to-site IPSec VPN
- SSL VPN / GlobalProtect
• Virtual Systems
- Establish multiple virtual firewalls in a single device (PA-4000 and PA-2000 Series only)
• QoS traffic shaping
- Max/guaranteed and priority
- By user, app, interface, zone, & more
- Real-time bandwidth monitor
• Simple, flexible management
- CLI, Web, Panorama, SNMP, Syslog
(Platforms pictured: PA-4060, PA-4050, PA-4020, PA-2050, PA-2020, PA-500)

PA-5000 Series Architecture
Control Plane
• Highly available mgmt
• High speed logging and route update
• Dual hard drives
(Figure: quad-core CPU, RAM, HDD)
Data Plane
Signature Match HW Engine
• Stream-based uniform sig. match
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and more
Security Processors
• High density parallel processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
(Figure: three security processor groups, each CPU1 … CPU12 with RAM, handling SSL / IPSec / decompression)
Network Processor
• 20 Gbps front-end network processing
• Hardware accelerated per-packet route lookup, MAC lookup and NAT
(Figure: flow control; route, ARP, MAC lookup; NAT; QoS)
Switch Fabric
• 80 Gbps switch fabric interconnect
(Figure: 10 Gbps and 20 Gbps links into the switch fabric)
Key figures
• 40+ processors
• 30+ GB of RAM
• Separate high speed data and control planes
• 20 Gbps firewall throughput
• 10 Gbps threat prevention throughput
• 20 Gbps QoS engine
• 4 Million concurrent sessions

Single-Pass Parallel Processing (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific hardware engines
• Separate data/control planes
Up to 10 Gbps, low latency
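The SP3 slide says that classification, user/group mapping and content scanning feed one policy decision, and earlier slides add the zone-based architecture (interfaces assigned to zones), User-ID (users rather than IP addresses) and the "block, or allow but scan for threats" control. The Python below is an added toy policy evaluator written for this page to show those pieces resolved in a single pass; it is not PAN-OS code and does not reflect how the real policy engine is built. Interface names, zones, users, groups, rule names, session records and the threat finding are all constructed for the demo.

```python
"""Zone-based, single-pass policy decision: interface -> zone, IP -> user/group,
the application label and content-scan findings are combined into one rule lookup.
Zones, users, rules and sessions below are constructed for the demo."""
from dataclasses import dataclass

# Interfaces are assigned to security zones; rules are written between zones.
IFACE_ZONE = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}

# User-to-IP mapping (constructed): the address is not the user.
IP_USER = {"10.0.0.5": "alice", "10.0.0.6": "bob"}
USER_GROUPS = {"alice": {"finance"}, "bob": {"it-admins"}}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str        # "any" matches every zone
    to_zone: str
    apps: frozenset       # application names, or {"any"}
    groups: frozenset     # user groups, or {"any"}
    action: str           # "allow" or "deny"
    scan: bool = False    # allow, but scan content for threats


@dataclass(frozen=True)
class Session:
    in_iface: str
    out_iface: str
    src_ip: str
    app: str                 # label from application identification
    findings: tuple = ()     # threat names raised by content scanning


ANY = frozenset({"any"})
POLICY = (
    Rule("admins-ssh", "trust", "dmz", frozenset({"ssh"}), frozenset({"it-admins"}), "allow"),
    Rule("no-p2p", "trust", "untrust", frozenset({"bittorrent"}), ANY, "deny"),
    Rule("web-out", "trust", "untrust", frozenset({"web-browsing", "ssl"}), ANY, "allow", scan=True),
    Rule("default-deny", "any", "any", ANY, ANY, "deny"),
)


def evaluate(sess, policy=POLICY):
    """One pass over the session: zones, user, app and content are all resolved
    before the first matching rule decides. Returns (rule name, verdict)."""
    from_zone = IFACE_ZONE[sess.in_iface]
    to_zone = IFACE_ZONE[sess.out_iface]
    user = IP_USER.get(sess.src_ip, "unknown-user")
    groups = USER_GROUPS.get(user, set())
    for rule in policy:
        zone_ok = rule.from_zone in ("any", from_zone) and rule.to_zone in ("any", to_zone)
        app_ok = "any" in rule.apps or sess.app in rule.apps
        user_ok = "any" in rule.groups or bool(groups & rule.groups)
        if not (zone_ok and app_ok and user_ok):
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        if rule.scan and sess.findings:      # allowed app, but content scan hit
            return rule.name, "blocked-by-content-scan"
        return rule.name, "allow"
    return "implicit-deny", "deny"


def demo_sessions():
    """Constructed sessions: same zones and ports, different users and apps."""
    return {
        "bob-ssh-to-dmz": Session("ethernet1/2", "ethernet1/3", "10.0.0.6", "ssh"),
        "alice-ssh-to-dmz": Session("ethernet1/2", "ethernet1/3", "10.0.0.5", "ssh"),
        "alice-bittorrent": Session("ethernet1/2", "ethernet1/1", "10.0.0.5", "bittorrent"),
        "alice-clean-web": Session("ethernet1/2", "ethernet1/1", "10.0.0.5", "web-browsing"),
        "alice-web-with-threat": Session("ethernet1/2", "ethernet1/1", "10.0.0.5",
                                         "web-browsing", ("exploit-kit-landing-page",)),
        "untrust-inbound-ssh": Session("ethernet1/1", "ethernet1/3", "192.0.2.9", "ssh"),
    }


def decide_all():
    """Decision for every demo session, keyed by session name."""
    return {name: evaluate(sess) for name, sess in demo_sessions().items()}
```

decide_all() shows the same source address and the same destination producing different verdicts depending on the mapped user group (bob's SSH to the DMZ is allowed, alice's falls to the default deny), an application label rather than a port deciding the P2P block, and an allowed application still being stopped when content scanning raises a finding.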

Flexible Deployment Options
Visibility
• Application, user and content visibility without inline deployment
Transparent In-Line
• IPS with app visibility & control
• Consolidation of IPS & URL filtering
Firewall Replacement
• Firewall replacement with app visibility & control
• Firewall + IPS
• Firewall + IPS + URL filtering

Q&A
Christian Etzold, Senior System Engineer
Hochschule Magdeburg